Malspam Campaign Uses DoubleClick Redirects to Deliver .NET Loader

ID: bda0a478-ca07-54cc-a42d-0dc25013b9f8

STIX ID: report--bda0a478-ca07-54cc-a42d-0dc25013b9f8

Feed Name: Cyber Press

Threat Score
78/100

Date Published: 2026-06-06

Date Updated: 2026-06-06

Author: Lucas Martin

...
...

A sophisticated malspam campaign uses DoubleClick redirects and on-the-fly personalized lure pages to bypass email gateways and deliver a five-stage malware chain that culminates in a process-hollowed payload; the .NET loader performs VM/sandbox detection, patches AMSI/ETW, disables Defender, establishes persistence, injects into legitimate signed processes, and communicates with DDNS-based C2 servers. The report provides domains, file paths, hashes, user-agent and other IOCs, plus mitigation recommendations such as blocking script execution, enhanced email sandboxing, and monitoring for suspicious child processes and staging directories.